Transport networks in gridlock, public services knocked offline and vast quantities of citizen data stolen. A scene of absolute pandemonium.
That description sounds like the premise of a Hollywood production. A mega-budget disaster film starring whatever A-list celebrity one can imagine.
However, according to the National Cyber Security Centre (NCSC), a chaotic incident such as this could one day be a reality for ‘smart city’ inhabitants.
New guidance issued by the cybersecurity centre outlines how ‘connected places’, including smart cities and connected rural environments, can be protected against major cyber-attacks.
The expert guidance offers advice on how local authorities can secure smart cities, underlying infrastructure and protect the huge volumes of data used in their day-to-day running.
The cities of the future are smart cities
The publication of this guidance comes at a time when towns and cities across Britain are becoming increasingly connected, with the use of sensors and web-connected devices helping to streamline and enhance services.
Indeed, smart city technology is already being put to good use in cities globally, with sensors helping to monitor pollution levels and cut down on carbon emissions.
Smart tech also helping to tackle congestion in urban environments, with sensors used to provide real-time information on the availability of parking spaces and the flow of traffic.
In an ideal world it makes sense for connected devices to be deployed at scale. Long-term this will enable authorities – at both local and national level – to meet net-zero targets, improve how towns and cities are run, and, essentially make our lives that little bit easier on a daily basis.
- DIGIT Movers and Shakers | April 2021
- Online fraud must be dealt with, Westminster told in open letter
- New financial management solution to support Storegga Project portfolio
But while the deployment of connected technologies in urban environments may provide an additional degree of convenience, it also comes with significant risks.
The various technologies which form the core of a ‘smart city’ are prime targets for cybercriminals and state-sponsored hackers. In fact, the NCSC says that if one single system within a smart city were to be compromised, this would “potentially have a negative impact across the network”.
In essence, the whole house of cards comes crashing down. A devastating cyber-attack would likely disrupt the day-to-day running of a major city, drawing services to a standstill and even threatening lives.
The hard reality is that smart cities offer hackers a tantalising opportunity to wreak havoc. That’s why the NCSC wants to prepare local authorities for any eventuality, according to technical director Ian Levy.
“Connected physical environments are just emerging in the UK, so now is the time to make sure we’re designing and building them properly,” he explains in a blog post published online.
“Because, as these ‘connected place’ become increasingly joined up, the ubiquity of the services they provide will likely make them a target for malicious actors,” Levy adds.
Hype and hysteria
This all sounds rather hysterical and a bit over the top. However, as Levy notes, we’ve already witnessed Hollywood depictions of similarly-styled cyber-attacks, albeit in a primitive form. And one specific depiction appears to be fairly accurate.
Released in 1969, ‘The Italian Job’ starring Michael Caine features a cyber-attack against the centralised traffic management system in Turin.
By taking down this system, the protagonists are able to capitalise on the ensuing chaos and flee from authorities with millions of pounds in gold bullion.
And while much has changed since 1969, Levy warns that computers now play a far more a crucial role in our day-to-day lives. They’re woven into the very fabric of a modern city. And that can be dangerous.
“Lots of things have changed since then,” he says. “But computers do control more aspects of our physical lives than ever before, across interconnected systems of increased complexity.”
“A similar ‘gridlock’ attack on a 21st century city would have catastrophic impacts on the people who live and work there, and criminals would likely need physical access to the traffic control system to do it,” Levy adds.
Barrier Networks CISO, Jordan Schroeder echoes Levy’s sentiment on the potential widespread impact of a cyber-attack on smart city functions, especially given the rise of ransomware.
In recent years, we have seen the devastating impact that cyber-attacks can have on public services. The infamous 2017 WannaCry ransomware attack knocked NHS systems across the country offline, forcing some health practitioners to work with pencil and paper.
More recently, ransomware has affected local authorities in England and impacted Scottish public services, with the Scottish Environmental Protection Agency falling prey to an attack in December 2020.
Previously, Schroeder has been engaged in research exploring the impact of ransomware in industrial IoT environments. And while the current level of impact attackers have is limited, he says attackers are “quickly learning” how to inflict serious damage.
“With the right vulnerabilities and a lack of appropriate protections, attackers could take full control over industrial IoT,” he explains. “And given the right conditions, attackers could take over a connected city.”
Notably, he adds, protective measures aimed at preventing such a catastrophic scenario are “well known and easily included in smart city design”, so unless we see a major development in the capability of cybercriminals or state-sponsored hackers, the chances of a city-killing attack are low at present.
A measured approach
Crucially, Schroeder welcomes the NCSC announcement as a positive step toward initiating a “useful discussion” on the security ramifications of connected cities.
However, he also believes there is still a fundamental lack of understanding over the potential risks involved. Nonetheless, the long-term rollout of smart city tech can be achieved sustainably and safely.
Local authorities have no crystal ball through which to gaze into the future, so all steps forward must be tentative and measured.
“I think we are inherently blind to the risks, not because we are not knowledgeable or clever enough, but because the risks are obscured. The concept of smart cities is new, and we cannot possibly fully comprehend every threat that a fully connected city might bring,” Schroeder says.
“However, the benefits to a city’s residents and the environment within and without the city can be massive, and I think it is worth taking measured, careful steps in the direction of making our cities smarter,” he adds.